OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

COMPLIANCE WITH DISABILITY DETERMINATION SERVICES SECURITY REVIEW REQUIREMENTS

February 2008   A-05-07-17082

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:      February 6, 2008                                    Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   Compliance with Disability Determination Services Security Review Requirements (A-05-07-17082)

OBJECTIVE

Our objectives were to assess (1) the Social Security Administration’s (SSA) procedures for selecting Disability Determination Services (DDS) offices for on-site Security Reviews, (2) SSA’s system for ensuring appropriate correction of deficiencies identified through Security Reviews, and (3) additional steps SSA can take to enhance the Security Review process.

BACKGROUND

SSA must comply with applicable Federal law¹ associated with management controls and provide assurances that its financial, program and administrative processes are functioning as intended. SSA designed the Management Control Review (MCR) Program to satisfy such Federal requirements. The MCR Program is implemented at DDS offices using the DDS Security Self-Review Checklist. These reviews cover a number of systematic and physical security elements including (1) automated system security, (2) systems access, (3) perimeter and internal office security, and (4) emergency preparedness and disaster recovery.

There are 52 DDSs located in the 50 States, the District of Columbia and Puerto Rico. Each DDS is required to have a Security Review conducted by the Center for Security and Integrity (CSI) at least once every 5 years.² The CSI in each region is required to develop and maintain a 5-year review plan for all DDSs in its respective region. The plan should include all DDS locations to be reviewed.

¹ Federal Managers’ Financial Integrity Act of 1982, Public Law 97-255.
² SSA, Program Operations Manual System (POMS), DI 39566.140 B.2.b., DDS Compliance and Monitoring Procedures.

Page 2 - The Commissioner

Most of the Security Reviews are conducted by CSI; however, SSA also uses contractors to conduct Security Reviews on its behalf. In years when CSI does not conduct a Security Review, the DDS offices are responsible for conducting a self-review using the same criteria CSI uses for its Security Review.³

When performing the Security Review, CSI follows SSA policy in POMS,⁴ which contains the DDS Security Self-Review Checklist.⁵ Within 45 days of completing the Security Review, CSI prepares a report that describes the deficiencies identified during the review and provides recommendations to resolve the deficiencies. The report is submitted to the regional Center for Disability Programs (CDP) with copies to the Office of Disability Determinations and the Division of Financial Integrity. CDP provides the Security Review report to the DDS office.

RESULTS OF REVIEW

Generally, we found SSA’s procedures were effective for selecting DDS offices for on-site Security Reviews and ensuring correction of deficiencies identified through Security Reviews. However, we found some improvements were needed. Specifically:

• we identified 6 DDS offices that did not undergo a Security Review during the 5-year period ended September 30, 2006;

• 6 of 32 DDS offices undergoing a Security Review during the 2-year period ended September 30, 2006 did not submit a corrective action plan (CAP) in accordance with SSA requirements; and

• 29 of 122 Security Review deficiencies at 5 of the 9 DDS offices we reviewed were not corrected at the time of our review.

We also identified some areas that should be included in the Security Review process. Specifically, the DDS Security Self-Review Checklist could be more comprehensive, covering additional topics such as protection of sensitive data as well as properly securing computers and computer room doors.

³ SSA, POMS DI 39566.140 B.1.b., DDS Compliance and Monitoring Procedures.
⁴ SSA, POMS DI 39566, DDS Privacy and Security.
⁵ SSA, POMS DI 39566.186, Security Self-Review Checklist – Exhibit 7.

DISABILITY DETERMINATION SERVICES OFFICES NOT REVIEWED

During the 5-year period ended September 30, 2006, we found that a Security Review was not conducted at six DDS offices in five regions.
In Table 1, we identify the locations and the reasons Security Reviews were not conducted.

                     Table 1: Security Reviews Not Conducted

Region  Office Location          Status
I       Waterbury, Vermont       CSI postponed the Security Review until 2007 because
                                 the DDS office was undergoing electronic claims
                                 training in 2006.
II      Endicott, New York¹      CSI considered a review conducted in 2004 by an
                                 independent contractor to be sufficient to meet the
                                 Security Review requirement.²
V       St. Paul, Minnesota      A Security Review was not conducted because regional
                                 policies prohibit travel to perform the reviews unless
                                 other work is to be conducted at the same location.
                                 Since no other work was scheduled at this location in
                                 Fiscal Year (FY) 2006, the year the Security Review
                                 was originally scheduled, the review was postponed
                                 until FY 2007.
VIII    Aurora, Colorado         CSI considered a review conducted in 2003 by an
                                 independent contractor to be sufficient to meet the
                                 Security Review requirement.²
IX      Tucson, Arizona³         A Security Review was not conducted because regional
                                 policies prohibit travel to perform the reviews unless
                                 other work is to be conducted at the same location.
                                 Since no other work was scheduled at this location in
                                 FY 2006, the year the Security Review was originally
                                 scheduled, the review was postponed until FY 2007.
IX      Sacramento, California   CSI established a 5-year review cycle that excluded
        (Central Operations)⁴    the Sacramento, California DDS location from review.
                                 CSI plans to conduct the Security Review in 2007.

Note 1: The New York DDS is decentralized with offices in six locations.
Note 2: While the contractors in question reviewed security controls at selected DDS offices as a part of the annual Financial Statement audit, they were not engaged in this instance to conduct Security Reviews nor did they use the checklist that CSI uses for Security Reviews. Therefore, these reviews are not as comprehensive and cannot be considered as replacements for CSI Security Reviews.
Note 3: The Arizona DDS is decentralized with offices in two locations.
Note 4: The California DDS is decentralized with offices in 14 locations.

For the six DDSs that did not conduct Security Reviews, we reviewed our prior DDS administrative cost audits that assessed limited areas of the general security controls environment. In these reports, we noted general security control vulnerabilities in such areas as inventory controls, contingency plans, off-site storage for electronic backup files, intrusion detection systems, perimeter access, and controls over computer security.
For example, at the Minnesota DDS,⁶ we found issues related to the need to

• finalize a contingency plan;
• identify an off-site storage facility for electronic data backup files; and
• review perimeter security.

⁶ SSA Office of the Inspector General, Administrative Costs Claimed by the Minnesota Disability Determination Services (A-05-04-14036), page 3, September 2004.

Had our audit of the Minnesota DDS office not been performed, these previously identified security-related deficiencies could have gone undetected and even resulted in the loss or compromise of sensitive data. For this reason, we believe CSI should ensure all DDS offices are reviewed every 5 years or provide written justification if Security Reviews will not be performed.

CORRECTIVE ACTION PLAN

We found that 6 of 32 DDS offices (19 percent) undergoing a Security Review during the 2-year period ended September 30, 2006 did not submit a CAP in accordance with SSA requirements. Five of the DDS offices were late in submitting their CAPs, and the remaining DDS office has yet to submit a CAP.

The DDS is responsible for developing a CAP to address the deficiencies identified in the Security Review report. The CAP should be submitted to CDP within 45 days of the Security Review report’s issuance date. CDP provides the CAP to CSI. Both CDP and CSI monitor the corrective actions until all weaknesses are corrected.⁷ If a CAP is not submitted as required, there is a risk that deficiencies identified during Security Reviews will not be corrected, thereby allowing unauthorized access to sensitive SSA information. For this reason, SSA should instruct CDPs and CSIs to obtain CAPs that address all deficiencies identified during Security Reviews within the 45-day timeframe from all DDS offices.

Late Corrective Action Plans

We reviewed 32 DDS Security Review reports that were conducted in FYs 2005 and 2006, and found that CSIs issued all the reports within 45 days of the Security Review or soon thereafter. We also found most of the DDS offices submitted a CAP to address the Security Review deficiencies within 45 days of the Security Review report’s issuance date. However, we found that five DDS offices in three regions did not submit a CAP to the regional CDP within 45 days of the Security Review, as shown in Table 2.

⁷ SSA, POMS, DI 39566.140 B.2.f., DDS Compliance and Monitoring Procedures.

              Table 2: DDS Offices That Did Not Submit Timely CAPs

Region  Office Location                    Security Review   Date of Corrective   Days
                                           Report Date       Action Plan          Late
I       Concord, New Hampshire             3/29/06           6/21/06               39
III     Washington, District of Columbia   6/20/06           3/01/07              209
IX      Sacramento, California             2/24/06           5/18/06               38
IX      Roseville, California              2/24/06           5/10/06               30
IX      Carson City, Nevada                5/04/05           7/18/05               30

In Region III, we found the CDP did not effectively monitor receipt of the CAP from the District of Columbia DDS. While the Security Review was conducted in May 2006, the CAP was not submitted to CDP until March 2007.
When asked about the delay, CDP staff stated this occurred because the DDS Director’s attention was focused on the conversion to the electronic claims process and a construction project at the DDS. While we understand CAPs can be delayed because of competing priorities, 209 days is an unreasonable delay. The new Disability Program Administrator in the Region III CDP, assigned to monitor the District of Columbia DDS in January 2007, was not aware the CAP had not been submitted for the 2006 Security Review. When we inquired about the CAP, the DDS was contacted and the CAP was provided.

Missing Corrective Action Plan

In our review of the 32 DDS Security Reviews, we found that the Ohio DDS did not submit a CAP to the Region V CDP following its Security Review. As noted earlier, the DDS is responsible for developing a CAP to address the deficiencies identified in the Security Review. In addition to not obtaining a CAP for the Ohio DDS, we found the Region V CSI only required that the DDSs in its region take corrective action for sensitive data access deficiencies.⁸ SSA policy states that its standards for protecting the DDS facilities are discretionary.⁹ Furthermore, the deficiencies identified during DDS Security Reviews addressed physical security, and the Region V CSI considered recommendations that address physical security deficiencies as suggestions that do not require corrective action.¹⁰ Therefore, the CSI left it to the Ohio DDS’ discretion to determine whether corrective action should be taken on physical security deficiencies. We believe SSA should consider revising its discretionary standards for protecting DDS facilities so that CAPs address all deficiencies identified during Security Reviews, even if the DDS position is that it will take no corrective action.

⁸ Region V CSI staff stated that they only expected responses from the DDS offices for deficiencies regarding systems issues or inappropriate profile assignments.
⁹ SSA, POMS, DI 39566.010 A., Disability Determination Services Physical Security.
¹⁰ Although not required by Region V CSI, the Indiana and Michigan DDSs did submit CAPs to Region V CDP on their own initiative.

SSA policy also instructs DDSs that are unable to meet a guideline for physical security to prepare a risk assessment plan to determine whether some or all of the discretionary measures should be included in their security program.¹¹ In its Security Review of the Ohio DDS office, the Region V CSI recommended corrective actions to address deficiencies found with (1) open shredder bins that contained sensitive information, such as earnings, dates of birth and social security numbers; (2) cases left on desks and cabinets overnight; and (3) after-hours cleaning. The Security Review report also reflects that CSI reminded the Ohio DDS to prepare a risk assessment. Additionally, the Region V CSI informed us that it had plans to request the DDSs in the region to perform a risk assessment on physical security deficiencies.

DEFICIENCIES NOT CORRECTED

We found 29 of 122 deficiencies (24 percent) at 5 of the 9 DDSs we reviewed had not been corrected as of February 2007.¹²
Specifically, 20 of the unresolved deficiencies were identified in FY 2005, and 9 were identified in FY 2006. The deficiencies were in the areas of systems access, perimeter and internal office security, incident reporting, and emergency preparedness and recovery.

The DDSs initiated corrective action for nine deficiencies identified during the Security Reviews. However, the completion of corrective actions was delayed for six of the nine deficiencies because the DDSs were located in facilities that were controlled by State or private property managers (see Table 3). Therefore, the DDSs were required to obtain approval to make modifications necessary to correct the deficiencies identified during the Security Reviews. In addition, completion was delayed for three deficiencies because the DDSs had to seek guidance from SSA.

                 Table 3: Corrective Actions Initiated but Delayed

Region  Location                 Date Security      Delayed Actions    Delayed Actions    Total
                                 Review Performed   Due to DDS in a    While DDS Awaits   Delayed
                                                    State/Private      Guidance from      Actions
                                                    Facility           SSA
III     Roanoke, Virginia        February 2005             1                                 1
VI      Albuquerque, New Mexico  March 2005                1                   1             2
                                 March 2006                2                   2             4
IX      Carson City, Nevada      May 2005                  2                                 2
Total                                                      6                   3             9

For the remaining 20 deficiencies identified during the Security Reviews, the DDSs indicated that corrective action was not planned. As shown in Table 4, corrective actions were not planned for 17 of the 20 deficiencies because the DDSs considered alternative controls were in place that were sufficient to ensure employees’ sensitive data and equipment were protected. Also, corrective actions were not planned for two deficiencies because the DDS did not consider it necessary since the DDS was planning to relocate the office. Additionally, one deficiency was not corrected because the DDS was not aware of SSA’s retention requirements and did not consider corrective action necessary because it could rely on its Regional Office to provide documents not retained at the DDS.

¹¹ SSA, POMS, DI 39566.010 A., Disability Determination Services Physical Security.
¹² The 122 deficiencies were identified during Security Reviews conducted at 9 DDSs in 9 regions in FYs 2005 and 2006. We did not visit Region II because there were few deficiencies reported at the Region’s DDSs.

                     Table 4: Corrective Actions Not Planned

Region  Location                     Date Security      Number of    Reason Corrective Action
                                     Review Performed   Corrective   is Not Planned
                                                        Actions
III     Roanoke, Virginia            February 2005          2        Relocation of DDS office planned.
IV      Raleigh, North Carolina      September 2006         5        DDS office stated it had alternative controls.
VI      Albuquerque, New Mexico      March 2005             1        DDS office was unaware of retention requirements.
VII     St. Louis (North), Missouri  September 2005         8        DDS office stated it had alternative controls.
IX      Carson City, Nevada          May 2005               4        DDS office stated it had alternative controls.
Total                                                      20

SSA policy stipulates both CDP and CSI will monitor the corrective actions until all weaknesses are corrected.¹³ Joint responsibility is assigned because many of the actions necessary to accomplish corrective action involve both CSI and CDP.¹⁴ However, the policy does not specify what duties each component is to perform in the monitoring process. We believe the lack of specific responsibilities for each component may create a risk that effective monitoring might not occur. SSA officials informed us that they are developing an automated system for the DDS Security Reviews that should alleviate the uncertainty about each regional component’s responsibilities to monitor corrective actions and whether corrective actions have been taken.

¹³ SSA, POMS, DI 39566.140 B.2.f., DDS Compliance and Monitoring Procedures.
¹⁴ CDP has overall responsibility for the DDSs, and CSI has responsibility for oversight/monitoring of security.

Also, SSA policy does not require that CDP or CSI ensure DDS offices implement corrective actions within a specific timeframe. However, we found that SSA field offices¹⁵ and the Office of Disability Adjudication and Review¹⁶ are required to validate that corrective actions have been implemented within 90 days.

If deficiencies identified during Security Reviews are not resolved, there is a risk of unauthorized access to sensitive SSA information if DDS or SSA systems are compromised.
Further, for the deficiencies related to the lack of Continuity of Operations Plans and Disaster Recovery Plans, a DDS may not be able to recover timely if a disaster impacts its facility. We believe SSA should clearly define the responsibilities, by component, for monitoring the progress of corrective actions taken on deficiencies identified during DDS Security Reviews to minimize risk to SSA and DDS information and systems. Establishing specific timeframes, such as 90-day intervals, for CDPs to contact DDS offices and validate that corrective actions have been implemented on all deficiencies identified during Security Reviews would ensure more timely resolution. As part of this resolution process, we believe SSA still needs to follow up on corrective actions for the 29 deficiencies we identified as unresolved to determine whether corrective actions are necessary.

UPDATE CHECKLIST FOR ADDITIONAL SECURITY CONCERNS

The DDS Security Self-Review Checklist that is used during the Security Review process did not address the new security concerns for protecting personally identifiable information (PII). Specifically, the checklist did not require that CSI determine whether laptop computers and related storage media are properly secured. A June 2006 message from the Chief Information Officer to all SSA employees, contractors and DDS employees gave examples of failures to protect PII, including “leaving an unprotected computer containing SSA information in a non-secure space” and “storing electronic files containing SSA information on a computer, flash drive, compact disc, etc. that other people can access.”

¹⁵ After a field office has received a final report on the findings and recommendations for corrective action, the field office manager has 45 days to develop a CAP to address any deficiencies noted in the final report. Also, the Area Director for the field office must validate the CAP within 90 days of receipt. For more information on the field office process, see our September 2007 audit, Compliance with Onsite Security Control and Audit Review Requirements at Field Offices (A-02-07-27021), page 2.
¹⁶ After a hearing office has received an Onsite Security Control and Audit Review report, the hearing office manager has 30 calendar days to respond (either directly or through its regional office) with a report of the corrective actions planned and/or taken. Also, the office should forward, within 90 days of issuing the corrective action report, a validation report stating that corrective actions have been implemented. For more information on the hearing office process, see our September 2007 audit, Onsite Security Control and Audit Review at Hearing Offices (A-12-07-17080), page 2.

Also, the DDS Security Self-Review Checklist did not require that CSI address the following POMS security requirements.

• The computer room door is solid wood core.¹⁷,¹⁸
• Users lock or log off the workstation or terminal prior to leaving it unattended.¹⁹

Such security weaknesses could result in a possible risk of unauthorized disclosure of sensitive SSA data as well as the loss of system hardware and software. SSA should update the DDS Security Self-Review Checklist to make it consistent with recent PII guidance and POMS security requirements.

CONCLUSION AND RECOMMENDATIONS

While we found the Security Review process for the DDS offices to be generally effective in both selecting DDSs for review and correcting identified deficiencies, improvements can be made to the Security Review process. We recommend SSA:

1. Ensure that regional CSIs review all DDS offices every 5 years or provide written justification if Security Reviews will not be performed.

2. Instruct regional CDPs and CSIs to obtain CAPs that address all deficiencies identified during Security Reviews within the 45-day timeframe from all DDS offices.

3. Consider revising the Agency’s discretionary standards for protecting DDS facilities so that CAPs address all deficiencies identified during Security Reviews, even if the DDS position is that it will take no corrective action.

4. Clearly define the responsibilities, by component, for monitoring the progress of corrective actions taken on deficiencies identified during Security Reviews.

5. Establish specific timeframes, such as 90-day intervals, for CDPs to contact DDS offices and validate that corrective actions have been implemented on all deficiencies identified during Security Reviews.

6. Follow up on the 29 deficiencies we identified as unresolved to determine if corrective actions are necessary.

7. Update the DDS Security Self-Review Checklist to make it consistent with recent PII guidance and POMS security requirements.

¹⁷ SSA, POMS, DI 39566.010 B.2.I., DDS Physical Security.
¹⁸ Although the DDS Security Self-Review Checklist did not include a requirement to check the construction material of the computer room door, Region VII CSI noted that the computer room doors at the Missouri DDS did not meet the standards identified in POMS.
¹⁹ SSA, POMS, DI 39566.001 C.14.b., Scope of Privacy and Security Subchapter.

AGENCY COMMENTS

SSA generally agreed with six of the seven recommendations and has begun taking corrective actions where possible (see Appendix C).
However, SSA disagreed with our\nrecommendation to consider revising the Agency\xe2\x80\x99s discretionary standards for\nprotecting DDS facilities.\n\nOIG RESPONSE\n\nWe agree with SSA that the intent of its DDS security policy is that CAPs should\naddress all deficiencies identified during Security Reviews. For this reason, we still\nbelieve that SSA should consider revising its discretionary standards for protecting DDS\nfacilities so that CAPs address all deficiencies identified during Security Reviews.\n\n\n\n\n                                               Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Agency Comments\n\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                             Appendix A\n\nAcronyms\nCAP    Corrective Action Plan\nCDP    Center for Disability Programs\nCSI    Center for Security and Integrity\nDDS    Disability Determination Services\nDRP    Disaster Recovery Plan\nFY     Fiscal Year\nIDS    Intrusion Detection System\nMCR    Management Control Review\nPII    Personally Identifiable Information\nPOMS   Program Operations Manual System\nSSA    Social Security Administration\n\x0c                                                                                  Appendix B\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2     Reviewed the Social Security Administration\xe2\x80\x99s (SSA) Management Control Review\n      Program and related Federal requirements.\n\xe2\x80\xa2     Reviewed SSA policy and procedures, as well as prior Office of the Inspector\n      General audits and other independent reviews, related to system and physical\n      security at Disability Determination Services (DDS) offices.\n\xe2\x80\xa2     Contacted Center for Security and Integrity (CSI) staff in each of the 10 SSA\n      regional 
offices to determine their methodology for selecting DDS offices for\n      Security Reviews.\n\xe2\x80\xa2     Obtained data from CSI staff in each region to determine whether the DDSs were\n      being reviewed in accordance with SSA\xe2\x80\x99s policies and procedures. We identified\n      89 Security Reviews conducted from October 1, 2001 through September 30,\n            1\n      2006.\n\xe2\x80\xa2     Reviewed 32 Security Review reports issued from October 1, 2004 through\n      September 30, 2006 to determine whether (1) CSI issued the report within 45 days\n      from the date of the review and (2) the DDS provided a Corrective Action Plan within\n      required 45 days.\n\xe2\x80\xa2     Reviewed the Security Reviews conducted between October 1, 2004 and\n      September 30, 2006 and identified 225 deficiencies. We selected Security Reviews\n                                                         2\n      conducted at 9 DDS offices with 122 deficiencies. We contacted relevant DDS/CSI\n      personnel to verify appropriate corrective actions occurred.\n\xe2\x80\xa2     Reviewed the DDS Security Self-Review Checklist and solicited ideas from CSI and\n      other SSA staff to identify additional steps SSA can take to enhance the Security\n      Review process.\n\nWe found data used for this audit were sufficiently reliable to meet our objectives. The\nentities audited were SSA\xe2\x80\x99s Center for Security and Integrity and the Office of Disability\nDeterminations, both under the Deputy Commissioner for Operations. 
We performed
our audit in Kansas City, Missouri, and Chicago, Illinois, between October 2006 and
August 2007 in accordance with generally accepted government auditing standards.



¹ There are 52 DDSs; however, several states have multiple DDS sites.
² We did not select a Security Review from Region II because there were few deficiencies reported in the
Region’s DDSs.

                  Appendix C

Agency Comments

                                         SOCIAL SECURITY


MEMORANDUM


Date:      January 15, 2008                                                      Refer To:   S1J-3

To:        Patrick P. O’Carroll, Jr.
           Inspector General

From:      David V. Foster /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “Compliance with Disability Determination
           Services Security Review Requirements” (A-05-07-17082)--INFORMATION

           We appreciate OIG’s efforts in conducting this review. Our response to the report findings and
           recommendations is attached.

           Please let me know if we can be of further assistance. Staff inquiries may be directed to
           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

           Attachment:
           SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, “COMPLIANCE WITH DISABILITY DETERMINATION SERVICES
SECURITY REVIEW REQUIREMENTS” (A-05-07-17082)


Thank you for the opportunity to review and provide comments on this draft report. We note that
you generally found our procedures effective for selecting Disability Determination Services
(DDS) offices and that we ensure correction of deficiencies that are identified through the
security reviews.
The draft report made suggested improvements to the security review process.
For the most part, we agree with the recommendations, and have already begun taking corrective
actions, where possible. However, several of the recommendations may require a change in
policy and will involve more in-depth discussions before final decisions can be made.

Our responses to the specific recommendations are provided below:

Recommendation 1

Ensure that regional Centers for Security and Integrity (CSI) review all DDS offices every 5 years
or provide written justification if Security Reviews will not be performed.

Comment

We agree. On December 28, 2007, we issued reminders to the CSIs to ensure that, where
possible, all DDSs are reviewed within the 5-year period. We also reminded them of the need for
written justification when a review will not be performed.

Recommendation 2

Instruct regional Centers for Disability Programs (CDP) and CSIs to obtain corrective action
plans (CAPs) that address all deficiencies identified during Security Reviews within the 45-day
timeframe from all DDS offices.

Comment

We agree with the intent of the recommendation. The intent of the DDS security Program
Operations Manual System (POMS) is that the CAPs should address all deficiencies identified
during the review. Our POMS currently instructs the DDS to submit their CAPs to the regional
office within 45 days after completion of the security review. The regional office is responsible
for working with the DDSs to ensure that the CAP addresses all of the deficiencies.
We will
consider updating our POMS to emphasize the regional office oversight responsibilities.

Recommendation 3

Consider revising the Agency’s discretionary standards for protecting DDS facilities so that
CAPs address all deficiencies identified during Security Reviews, even if the DDS position is
that it will take no corrective action.

Comment

We disagree. Some areas of POMS provide discretionary guidelines based on regulations found
in 20 C.F.R. (Subpart Q). These regulations outline the basic responsibilities for SSA and the
State.

Where a potential deficiency is cited that falls under the discretionary guidelines of POMS, we
instruct the DDS to conduct a risk assessment to determine appropriate corrective action. The
results of the risk assessment are considered part of the site’s CAP. The regional CDP reviews
the risk assessment to determine final outcome. Depending on the specific circumstances, the
regional office may consult with the Office of Disability Determinations on whether the issue can
be considered closed.

Recommendation 4

Clearly define the responsibilities, by component, for monitoring the progress of corrective
actions taken on deficiencies identified during Security Reviews.

Comment

We agree with the intent of the recommendation. We will consider revising the DDS security
POMS to clearly delineate the regional office oversight responsibilities. The draft POMS will
need to be reviewed by the regional office and appropriate headquarters components for
concurrence before implementing.

Recommendation 5

Establish specific timeframes, such as 90-day intervals, for CDPs to contact DDS offices and
validate that corrective actions have been implemented on all deficiencies identified during
Security Reviews.

Comment

We agree.
We will revise the DDS security POMS to include instructions for providing follow-ups
at 90-day intervals until all deficiencies have been addressed or risk assessments have been
conducted and agreed on as an appropriate course of action.

Recommendation 6

Follow up on the 29 deficiencies we identified as unresolved to determine if corrective actions
are necessary.

Comment

We agree. We have reviewed the 29 deficiencies and provided an update for each one. All of
the deficiencies cited have been addressed and resolved and are now considered closed. A copy
of the corrective actions has been provided under separate cover.

Recommendation 7

Update the DDS Security Self-Review Checklist to make it consistent with recent Personal
Identifying Information (PII) guidance and POMS security requirements.

Comment

We agree. We will revise the DDS Security Self-Review Checklist to include current security
guidance.

                                                                     Appendix D
OIG Contacts and Staff Acknowledgments
OIG Contacts

   Walter Bayer, Director, Chicago Audit Division (312) 353-0331

   Shannon Agee, Audit Manager, Kansas City Audit Division (816) 936-5590

Acknowledgments

In addition to those named above:

   Tonya Coffelt, Senior Auditor

   Elizabeth Juárez, Senior Auditor

   Kim Beauchamp, Writer-Editor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218.
Refer to Common Identification Number
A-05-07-17082.

                           DISTRIBUTION SCHEDULE


Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

               Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.
                                         Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure program
objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s
financial statements fairly present SSA’s financial position, results of operations, and cash flow.
Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and
operations. OA also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.


                                    Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.


                   Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary
Penalty program.
                              Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.